SecurityWeek

Malware & Threats

Recent Zyxel NAS Vulnerability Exploited by Botnet

A Mirai-like botnet has started exploiting a critical-severity vulnerability in discontinued Zyxel NAS products.

A recently disclosed critical-severity vulnerability in discontinued Zyxel NAS devices is already being exploited in botnet attacks, the Shadowserver Foundation warns.

Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug, and shipped new code with the same weakness.

“While patching this vulnerability, they added a new endpoint which uses the same approach as the old ones, and while doing so, implemented the same mistakes as its predecessors,” explains Outpost24 security researcher Timothy Hjort, who discovered and reported the security defect.

According to the researcher, an attacker can send crafted HTTP POST requests to a vulnerable device to exploit the vulnerability for remote code execution.

Late last week, the Shadowserver Foundation revealed that it had started seeing the first exploitation attempts targeting this vulnerability by a Mirai-like botnet. Technical details and proof-of-concept (PoC) code targeting this flaw are publicly available.

Zyxel released patches for CVE-2024-29973 and three other bugs in early June, but warned that the affected products, namely NAS326 and NAS542, were discontinued in December 2023.


According to Censys, as of June 27, there were roughly 1,200 Zyxel NAS326 and NAS542 devices exposed to the internet, mainly concentrated in Europe. However, it is unclear how many of these are vulnerable.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support, despite the products already having reached end-of-vulnerability-support,” the company warned.

Firmware version V5.21(AAZF.17)C0 resolves the flaws for NAS326 devices. For NAS542 products, Zyxel addressed the bugs in firmware version V5.21(ABAG.14)C0.
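The two fixed firmware versions above follow Zyxel's usual `V<major>.<minor>(<model code>.<build>)C<revision>` pattern, where the model code identifies the product line (AAZF for NAS326, ABAG for NAS542). The following script, added here as an illustration and not code from Zyxel, Outpost24 or SecurityWeek, parses that format and flags devices in an inventory that are still below the fixed build. The version strings and model-code mapping come from the advisory quoted in this article; the rule that every lower build on the same model line counts as unpatched, and the sample inventory, are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Minimum firmware builds that fix CVE-2024-29972/29973/29974, keyed by the
# model code embedded in the version string (from the Zyxel advisory).
FIXED_BUILDS = {
    "AAZF": "V5.21(AAZF.17)C0",  # NAS326
    "ABAG": "V5.21(ABAG.14)C0",  # NAS542
}

# Zyxel firmware version strings look like V5.21(AAZF.17)C0:
#   V<major>.<minor>(<model code>.<build>)C<revision>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Za-z]+)\.(\d+)\)C(\d+)$")


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    model: str
    build: int
    revision: int

    def key(self):
        # Numeric tuple used to order builds within one model line.
        return (self.major, self.minor, self.build, self.revision)


def parse_version(text: str) -> FirmwareVersion:
    """Parse a Zyxel firmware version string; raise on anything unexpected."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware version: {text!r}")
    major, minor, model, build, rev = m.groups()
    return FirmwareVersion(int(major), int(minor), model.upper(), int(build), int(rev))


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build for its model line.

    Assumption (not from the advisory): any build below the fixed one on the
    same model line is treated as unpatched. Unknown model codes raise, so a
    caller never silently reports a NAS it cannot classify as safe.
    """
    v = parse_version(text)
    if v.model not in FIXED_BUILDS:
        raise ValueError(f"no fix information for model code {v.model}")
    fixed = parse_version(FIXED_BUILDS[v.model])
    return v.key() >= fixed.key()


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' | 'unpatched' | 'unknown' for a {host: version} dict."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            # Garbled version string or a model line the table does not cover.
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = {
    "nas326-branch": "V5.21(AAZF.16)C0",   # one build short of the fix
    "nas326-hq": "V5.21(AAZF.17)C0",       # exactly the fixed build
    "nas542-lab": "V5.21(ABAG.13)C0",      # unpatched
    "nas542-archive": "V5.21(ABAG.15)C0",  # newer than the fixed build
    "nas-unknown": "V5.21(ZZZZ.01)C0",     # model line not in the table
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:20} {status}")
```

The comparison is deliberately restricted to a single model line: a NAS542 build number is not comparable with a NAS326 one, so the parser keys on the model code rather than comparing raw build numbers across products. Hosts that cannot be parsed or matched are reported as unknown rather than patched, which is the safer default when the result feeds a replacement or isolation decision for end-of-life hardware.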

Users are advised to update their devices as soon as possible and to consider replacing them with supported products.

Threat actors, including botnet operators, have repeatedly exploited vulnerabilities in Zyxel products after patches for them had been released, targeting devices that were never updated.

*Updated on June 28 with data from Censys.

Related: Edge Devices: The New Frontier for Mass Exploitation Attacks

Related: CISA Warns of Progress Telerik Vulnerability Exploitation

Related: DreamBus Botnet Exploiting RocketMQ Vulnerability to Deliver Cryptocurrency Miner

Related: Serious Vulnerability Exposes Admin Interface of Arcserve UDP Backup Solution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
